security-audit
SKILL.md
security-audit
A hostile-by-design, fail-closed audit workflow for codebases and OpenClaw/ClawHub skills.
It does not try to answer “does this skill work?”. It tries to answer: “can this skill betray the system?”
What it checks (high level)
This skill’s scripts combine multiple layers:
- Secrets / credential leakage: trufflehog
- Static analysis: semgrep (auto rules)
- Hostile repo audit (custom): prompt-injection signals, persistence mechanisms, suspicious artifacts, dependency hygiene
If any layer fails, the overall audit is FAIL.